Commit graph

17214 commits

Author SHA1 Message Date
Primiano Tucci
647d9163d6 Merge "Allow traced_probes to access battery coulomb counters" 2018-12-03 19:32:55 +00:00
Daniel Mentz
bbdb25f680 Allow hal_usb to call getsockopt on uevent socket
We are making a change to uevent_open_socket() in libcutils related to
setting the receive buffer size of netlink uevent sockets.

After setting SO_RCVBUF, we immediately read it back using getsockopt()
to verify that the setsockopt() call was effective. Only if it was not
effective, we call setsockopt() with SO_RCVBUFFORCE.

getsockopt() previously caused SELinux denials like the following:

 avc: denied { getopt } for comm="usb@1.1-service" scontext=u:r:hal_usb_default:s0 tcontext=u:r:hal_usb_default:s0 tclass=netlink_kobject_uevent_socket permissive=0

Bug: 119933843
Change-Id: I7bbb1eb1fa7ade2c94afc52ab1e28762f86a7d1f
2018-12-03 18:37:25 +00:00
Neil Fuller
f58b555de3 Track add of RuntimeService in system server
Adds the necessary incantations for the new service.

Bug: 118242715
Bug: 119026403
Test: build / boot / adb shell dumpsys
Change-Id: Ibb1a356067863316d70586a61ede9f5973c1ae15
2018-12-03 15:45:46 +00:00
Primiano Tucci
353b93a90c Allow traced_probes to access battery coulomb counters
Allows battery counters to be logged in the trace. This
is to allow high fidelity attribution of battery power.

Matching feature CL: aosp/838951

SELinux denials that lead to this:
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 duplicate messages suppressed
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { getattr } for comm="hwservicemanage" scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=process permissive=1


Bug: 113076327
Change-Id: I4aabd0d70025105320c4a8d34470098807d56899
2018-12-03 13:32:48 +00:00
Florian Mayer
3f8c271db8 Allow heapprofd to read system_file_type.
Heapprofd needs to read binary files and library in order to support
unwinding the stack. sytem_file does not include all thes files, e.g.
zygote_exec is only labeled as system_file_type.

Denials:

12-03 10:50:37.485  9263  9263 I heapprofd: type=1400 audit(0.0:177): avc: denied { read } for name="app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485  9263  9263 I heapprofd: type=1400 audit(0.0:178): avc: denied { open } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485  9263  9263 I heapprofd: type=1400 audit(0.0:179): avc: denied { getattr } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1

Change-Id: Ie04b722a78ff6367729930ee0ef96f48ccf6aa55
Bug: 117762471
2018-12-03 13:12:15 +00:00
Jiyong Park
ce15e5e510 Allow apexd to label apk_tmp_file to apex_data_file
Currently, when an APEX is staged, apexd moves the file from
/data/app/vmdl*.tmp directory to /data/apex. However, the original file
is labeled with apk_tmp_file and is not readable from apexd.

We plan to resolve this issue by moving the file content via file
descriptor in between the package manager and apexd.

However, until the plan is implemented, temporarily allow apexd to
relabel the file to apex_data_file that is readable to it. This unblocks
the end-to-end test for APEX.

Bug: 112669193
Test: adb install --apex system/apex/apexd/apexd_testdata/test.apex
adb reboot; adb root; adb shell; cmd apexservice getActivePackages
The test APEX is activated

Change-Id: Ib9d4f5c699261f1fa1e6d557731767ee4d7168f9
2018-12-03 22:05:24 +09:00
Treehugger Robot
bd0fa53a66 Merge "SEPolicy changes to allow kcov access in userdebug." 2018-12-01 04:13:09 +00:00
Kevin Chyn
5ea85b5f75 Merge "Add placeholder iris and face policy for vold data directory" 2018-12-01 00:55:20 +00:00
Treehugger Robot
f0c411c5f1 Merge "Add public Codec2 HIDL interfaces" 2018-12-01 00:27:21 +00:00
Paul Crowley
f9f7539430 Abolish calls to shell in vold
Never use popen, just execvp directly

Test: Two tests
- Ensure Marlin device boots and vold_prepare_subdirs is called
successfully
- Try adb shell sm set-virtual-disk true, see that eg sgdisk output is
logged.
Bug: 26735063
Bug: 113796163

Change-Id: Icb34140429db85098a0118a2b833772e3620e7ac
2018-11-30 16:02:04 -08:00
Kevin Chyn
91c2580bce Add placeholder iris and face policy for vold data directory
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause
the same issue.

Test: vold is able to create directories, ag/5534962

Bug: 116528212
Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-30 11:37:19 -08:00
Dan Austin
55d9096652 SEPolicy changes to allow kcov access in userdebug.
This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.

Bug: 117990869

Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-30 10:56:29 -08:00
Treehugger Robot
44ffb0b3c4 Merge "system_server: Allow binder connections to iorapd" 2018-11-30 18:52:13 +00:00
Pawin Vongmasa
7d9d64dcd9 Add public Codec2 HIDL interfaces
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 112362730
Bug: 119853704

Change-Id: Ie84dab48c4f068eb1f6289b5c022525cd06ef7fc
2018-11-30 05:11:21 -08:00
Tri Vo
2725edc658 Wider neverallow rules for coredomain /dev access.
"iio_device", "radio_device" must not be accessed by coredomain on all
devices. And "tee_device" must not be accessed by coredomain on Treble
devices.

Bug: 110962171
Test: m selinux_policy
Test: mmma system/sepolicy
Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
2018-11-29 19:01:48 -08:00
Igor Murashkin
68b2f98b8b system_server: Allow binder connections to iorapd
Bug: 72170747
Change-Id: I835e6a93cf797f939b808eb6025939d053d509ae
2018-11-29 15:37:22 -08:00
Tri Vo
9cded32f6a Merge "Remove coredomain /dev access no longer needed after Treble" 2018-11-29 19:27:54 +00:00
Treehugger Robot
ad1654797a Merge "Allow init to set powerctl property" 2018-11-29 16:56:19 +00:00
felkachang
196b12eb3e Track isolated_app SELinux denial.
The isolated service that do nothing for AIDL's APIs still got the
SELinux denied. This should fix presubmit test.

01-01 00:00:22.103  5831  5831 I auditd  : type=1400 audit(0.0:6): avc:
denied { getattr } for comm="convert.service"
path="/data/data/com.android.providers.media" dev="sda35" ino=1442136
scontext=u:r:isolated_app:s0:c0,c256,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=dir
permissive=0

Test: build
Bug: 119596573

Change-Id: Ie58326ba217ed6ca56ca9933c6664896ac3d327a
2018-11-29 07:07:55 +00:00
Tri Vo
8a6cc52ed7 Remove coredomain /dev access no longer needed after Treble
According to go/sedenials (internal dogfooding), coredomain access to
following types is not exercised and can be removed:
iio_device
radio_device
tee_device

Access to audio_device is still needed since some ALSA interfaces
(/dev/snd/*) are directly used by system_server.

Bug: 110962171
Test: m selinux_policy
Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad
2018-11-29 04:56:18 +00:00
Nick Kralevich
0096e7af57 Merge "Move some rules around" 2018-11-29 04:52:12 +00:00
Treehugger Robot
c22d14ba99 Merge "checkseapp: check the size of key value pairs" 2018-11-29 03:37:57 +00:00
Bill Yi
069ebe0e07 Merge pi-qpr1-release PQ1A.181105.017.A1 to pi-platform-release
Change-Id: I94ccbff6a38bfa1c27eb39b0caf4ec0ab97fee3e
2018-11-28 18:35:05 -08:00
Nick Kralevich
1e5021c450 Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:55:21 -08:00
liwugang
eb74dd9f86 checkseapp: check the size of key value pairs
OOB write if the size of the key value pairs exceeds the max.

Test: Add a long line to the seapp_contexts file

Change-Id: Iaa3e697e7ac134eb6829b8b36b090997ca344b3a
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-11-29 00:43:50 +00:00
Florian Mayer
b1dad09679 Allow heap profiling everything except TCB on userdebug.
Bug: 117762471
Test: m
Test: flash sailfish
Test: profile all running processes with setenforce 1

Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
2018-11-28 22:01:58 +00:00
Yifan Hong
ea9cf8148e Merge "Add rules to dump health traces" 2018-11-28 21:54:46 +00:00
Treehugger Robot
b2d0d4a593 Merge "[gpuservice] allow "adb shell cmd gpu vkjson"" 2018-11-28 02:39:56 +00:00
Treehugger Robot
c1ab4aef0b Merge "Add compile time check for expanded attribute neverallow failure" 2018-11-28 02:23:28 +00:00
Yifan Hong
0d53ef2c91 Add rules to dump health traces
Test: bugreport
Bug: 119809588
Change-Id: Ia688d68120daebc0a4feb51c4745535e1b371594
2018-11-27 17:36:07 -08:00
Hongyi Zhang
b7aee4439e Merge "grant system_server read permission of server_configurable_flags_data" 2018-11-28 00:41:09 +00:00
Yiwei Zhang
ff0f79c195 [gpuservice] allow "adb shell cmd gpu vkjson"
Also allow adb shell dumpsys gpu to not return error.

Bug: 120095213
Test: flash non-eng build and adb shell cmd gpu vkjson
Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571
2018-11-27 15:58:20 -08:00
Branden Archer
d36b1d5f62 Allow init to set powerctl property
NIAP certification requires that all cryptographic functions
undergo a self-test during startup to demonstrate correct
operation. init now performs this check during startup.

The self-test is forked from init. For the child process
to be able to request a reboot it needs permissions to
set the sys.powerctl property.

Bug: 119826244
Test: Built for walleye. When the BoringSSL self test was forced
      to fail the device rebooted into the bootloader, as
      expected.

Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6
2018-11-27 15:47:12 -08:00
Nick Kralevich
94c88932d8 Add compile time check for expanded attribute neverallow failure
The SELinux policy language supports an expandattribute statement.
Similar to the C "inline" declaration, this expands the permissions
associated with types, instead of using the attribute directly. Please
see
1089665e31
for more detail on this language option.

Expansion of attributes causes consistency problems with CTS. If a
neverallow rule exists which refers to an expanded attribute, the CTS
neverallow test will fail, because the policy does not have the
attribute embedded in it. Examples:

  * b/119783042 (fixed in 536d3413b8)
  * b/67296580 (fixed in 6f7e8609f9)
  * b/63809360 (fixed in 89f215e6a0)
  etc...

Instead of waiting for the CTS test to fail, modify the Android.mk file
so that we do checks similar to CTS. This allows us to fail at compile
time instead of waiting for a CTS bug. For example, for b/119783042,
instead of the compile succeeding, it will now fail with the following
error message:

  [ 70% 190/268] build out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
  FAILED: out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows
  /bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c
  30 -o out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
  out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy.conf ) &&
  (out/host/linux-x86/bin/sepolicy-analyze
  out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
  neverallow -w -f out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/policy_2.conf
  || 	  ( echo \"\" 1>&2; echo \"sepolicy-analyze failed. This is most likely due to the use\" 1>&2;
  echo \"of an expanded attribute in a neverallow assertion. Please fix\" 1>&2;
  echo \"the policy.\" 1>&2; exit 1 ) ) &&
  (touch out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp )
  && (mv out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows.tmp
  out/target/product/crosshatch/obj/ETC/sepolicy_neverallows_intermediates/sepolicy_neverallows )"
  libsepol.report_failure: neverallow violated by allow vold hal_bootctl_default:binder { call };
  libsepol.check_assertions: 1 neverallow failures occurred

  sepolicy-analyze failed. This is most likely due to the use
  of an expanded attribute in a neverallow assertion. Please fix
  the policy.
  15:44:27 ninja failed with: exit status 1

Test: Revert 536d3413b8 and verify compile
      fails as above.
Test: Compile succeeds
Bug: 119783042

Change-Id: I5df405b337bb744b838dadf53a2234d8ed94bf39
2018-11-27 15:44:31 -08:00
Hongyi Zhang
b61ac077dd grant system_server read permission of server_configurable_flags_data
server_configurable_flags_data_file is used for storing server
configurable flags which have been reset during current booting.
system_server needs to read the data to perform related disaster
recovery actions.
For how the data is read, see SettingsToPropertiesMapper.java.

Test: build succeeds & manual on device
Change-Id: Ifa22aecc13af2c574579299d28433622abbe6b85
2018-11-27 13:29:08 -08:00
Daniel Rosenberg
478ca55bfe Allow vold to remount
remount is needed for commiting checkpoints under f2fs

Test: vdc checkpoint commitChanges
Bug: 111020314
Change-Id: If7d4ab641b59d3e942d9d8a72bd91be08680227b
2018-11-27 21:17:59 +00:00
Mikhail Naganov
d81a36ad47 Merge "Allow audioserver to access persist.log.tag" 2018-11-27 19:16:26 +00:00
Nick Kralevich
f56b5d9792 Merge "use hal_bootctl_server in neverallow rule" 2018-11-27 17:27:48 +00:00
Nick Kralevich
536d3413b8 use hal_bootctl_server in neverallow rule
Hals have 3 attributes associated with them, the attribute itself, the
_client attribute, and the _server attribute. Only the server attribute
isn't expanded using the expandattribute keyword, and as a result, is
the only attribute which can be used in neverallow rules.

Fix neverallow rule to use hal_bootctl_server, which is not expanded,
instead of hal_bootctl.

Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178

Test: policy compiles
Bug: 119500144
Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
2018-11-26 23:17:28 -08:00
Nick Kralevich
6b2a4aeacf use tmpfile during build
During the build process, use a temporary file until we've determined
that every step of the build process has completed. Failure to do this
may cause subsequent invocations of the make command to improperly
assume that this step ran to completion when it didn't.

Test: code compiles.
Change-Id: I9a28e653e33b61446a87278975789376769bcc6a
2018-11-26 14:29:06 -08:00
Treehugger Robot
c3b3fdf8d6 Merge "Remove permission for APEX manifest." 2018-11-24 21:04:17 +00:00
Dario Freni
4df603a038 Remove permission for APEX manifest.
There is no real need to access the manifest.json (which is being
renamed in other CLs anyway). So remove the access to it.

Bug: 119672727
Test: m, installed on device, boots.
Change-Id: I2d82062031da36f871b2a64d97a50a6f1e6fc3dd
2018-11-24 17:19:05 +00:00
Treehugger Robot
017c1ac1ed Merge "SELinux policy for new managed system update APIs" 2018-11-23 11:33:00 +00:00
Neda Topoljanac
bffe163b13 SELinux policy for new managed system update APIs
We introduced a new API to allow Device Owner to install an OTA file on disk.
This in turn requires system_server to be able to copy the OTA file to a known
OTA file location, call into update_engine to start the installation and let
update_engine to call back to the system_server to deliver any error conditions
asynchronously. This CL modifies the SELinux policy to allow these interaction.

Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79
Bug: 111173669
2018-11-22 17:46:31 +00:00
Treehugger Robot
d1b18a797e Merge "Allow to execute postinstall in adb sideload" 2018-11-22 05:05:00 +00:00
Yifan Hong
1817cbde14 Allow to execute postinstall in adb sideload
In recovery, everything is labeled rootfs, including
/system/bin/*. Allow postinstall to execute them in recovery.

Test: sideload
Bug: 116608795
Fixes: 119877813
Change-Id: I5682bdecd0df1cb9ff3bc968ea29449b0b8588f4
2018-11-21 16:23:45 -08:00
Nick Kralevich
ddd43bfcc9 allow recovery FUNCTIONFS_ENDPOINT_DESC
Commit ebc3a1a34c ("Move to ioctl
whitelisting for plain files / directories", Oct 10th), enabled ioctl
filtering on all files, including functionfs files. However, recovery
performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so
allow it.

Addresses the following denial:

  audit: type=1400 audit(673009.476:507811): avc:  denied  { ioctl } for  pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

Test: policy compiles.
Bug: 119877813
Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
2018-11-21 12:42:42 -08:00
Treehugger Robot
ac317b915e Merge "Add com.android.resolv-file_contexts to /system/sepolicy/apex" 2018-11-21 13:10:13 +00:00
chenbruce
a5121f64a6 Add com.android.resolv-file_contexts to /system/sepolicy/apex
Gathering file contexts for all APEXes there for easier auditing.

Test: m com.android.resolv
Bug: 119527674
Change-Id: I0f06c21c77f4b537e7c7d590204569f4531b5302
2018-11-21 14:39:33 +08:00
Nick Kralevich
bacf448bdb allow system_server BLKSECDISCARD BLKDISCARD
Used at:
7271c452a9/services/core/jni/com_android_server_PersistentDataBlockService.cpp (60)

Addresses the following denials:
  audit(0.0:413): avc: denied { ioctl } for comm="Binder:1365_1C" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=127d scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0
  audit(0.0:410): avc: denied { ioctl } for comm="Binder:1365_3" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=1277 scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: I7614b6269031b7912a7b93dc5307f5687458fba8
2018-11-20 17:57:04 -08:00